haoqili / mozsecworld
Mozilla Secure World
Home Page: https://wiki.mozilla.org/WebAppSec/MozSecureWorld
License: BSD 3-Clause "New" or "Revised" License
so many print statements
look at ratelimit kitsune's recaptcha changes in more detail, compare to how I did it.
can log in with correct password and username even when recaptcha is entered incorrectly.
Following the PEP 8 guideline.
When not logged in, clicking a "@login_required" view (e.g. the msw index for now) gives a bad URL with "?next=": "http://10.250.3.248:8000/en-US/msw/templates/?next=/en-US/msw/"
TODO:
ACCESS CONTROL
Presentation, Business, Data Layer Access Control
Presentation and Data layers use decorators
Read about presentation layer protection
(Possible) Two tier design for admin account separation
The picture of separate control of changing passwords
DONE:
Even when 'CSP_OPTIONS = ("eval-script",)' is not set in settings.py,
problem seen on Firebug:
call to setInterval blocked by CSP recaptcha.js (line 23)
Because setInterval() is blocked by CSP.
Put 10 passwords on page to show people that they should not use common passwords.
Have a user friendly way of telling people to pick better passwords if they picked a common password
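An added example (not part of the mozsecworld project) of the check described above: a plain-Python common-password test that returns a friendly message instead of a bare rejection. The trailing-digit normalisation is an assumption added here; the password list is a constructed sample.

```python
import re

# Constructed sample of common passwords for this demo; a real deployment
# would load a much larger list (e.g. the one Django ships with).
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "abc123",
    "monkey", "letmein", "dragon", "111111", "baseball",
})

FRIENDLY_MESSAGE = (
    "That password is one of the most commonly used ones, so attackers "
    "try it first. Pick a longer passphrase that is not a dictionary "
    "word with digits tacked on (it matched '{match}')."
)


def normalize(password: str) -> str:
    """Lower-case and drop trailing digits so 'Password1' matches 'password'.
    The trailing-digit stripping is an assumption added for this example;
    Django's CommonPasswordValidator only lower-cases before comparing."""
    return re.sub(r"\d+$", "", password.lower())


def common_password_message(password: str, common=COMMON_PASSWORDS):
    """Return a user-friendly message if `password` is too common, else None.
    Both the raw (lower-cased) value and its normalized form are checked, so
    an all-digit entry like '123456' is still caught even though normalize()
    reduces it to the empty string."""
    for candidate in (password.lower(), normalize(password)):
        if candidate and candidate in common:
            return FRIENDLY_MESSAGE.format(match=candidate)
    return None


if __name__ == "__main__":
    for pw in ("Password1", "correct horse battery staple", "123456"):
        print(repr(pw), "->", common_password_message(pw))
```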
In firebug
CSP: Directive "inline script base restriction" violated Recaptcha.widget = Recaptcha.$("recaptch...
I saw the same bug and they fixed it by updating jQuery to 1.5. Well I updated it to 1.6.2 and it's still not working!
(also check out #40)
just discovered.
set_cookie_httponly/demo/
Even if I set SESSION_COOKIE_HTTPONLY = False
it still doesn't show up! (setting it back to true for now)
big one
also do #18 change 79 columns
And follow other JS guidelines
Warnings from firebug:
CSP: Directive "inline script base restriction" violated onclick attribute on A element
CSP: Directive "object-src 'none'" violated by https://www.google.com/recaptcha/api//img/audiocaptcha.swf?v2
Gotta fix some onclicks ... bsterne suggested:
"add an id and then from external script say document.getElementById(your_id).onclick = your_function"
I also have http://curioushq.blogspot.com/2011/07/when-you-cant-onclick.html
possibly looking at kitsune's ratelimit new changes and see how they do recaptcha
TODO:
ask Michael what to do with CSP
--> allow eval for setInterval?
--> allow inline?
--> make our own to get around setInterval?
--> make our own to get around in-body script?
start on Access Control
DONE:
TODO:
Done:
TODO:
DONE:
only private data in settings_local
Django docs say:
validation of a Form is split into several steps ...
Can't find these things in source code:
```python
# src/django/django/forms/forms.py
def clean(self):
    """
    Hook for doing any extra form-wide cleaning after Field.clean() has
    been called on every field. Any ValidationError raised by this method
    will not be associated with a particular field; it will have a
    special-case association with the field named '__all__'.
    """
    return self.cleaned_data
```
What does that mean? where does it check all the bullets?
TODO:
OTHERS:
DONE: